The cryptographic transforms (digests, signatures and encryption) implementation is the main goal of "xmlsec-<crypto>" library. Most of the cryptographic transforms use default pushBin and popBin methods and provide custom execute method. The binary transform execute method processes data from the input buffer inBuf and pushes results to outBuf. The transform should try to consume and remove data from inBuf buffer as soon as the data became available. However, it might happen that current data size in the input buffer is not enough (for example, RSA-PKCS1 algorithm requires that all the data are available in one buffer). In this case, transform might keep the data in the input buffer till the next call to execute method. The "last" parameter of the execute indicates that transform MUST process all the data in the input buffer and return as much as possible in the output buffer. The execute method might be called multiple times with non-zero "last" parameter until the transforms returns nothing in the output buffer. In addition, the transform implementation is responsible for managing the transform status variable.

In adition to execute methods, signature, hmac or digest transforms MUST implement verify method. The verify method is called after transform execution is finished. The verify method implementation must set the "status" member to xmlSecTransformStatusOk if signature, hmac or digest is successfully verified or to xmlSecTransformStatusFail otherwise.

The transforms that require a key (signature or encryption transforms, for example) MUST imlpement setKeyReq (prepares the key requirements for key search) and setKey (sets the key in the transform) methods.